----- Original Message -----
From: "Neil Munro" <neilmu...@gmail.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Friday, March 16, 2012 10:56:56 AM
Subject: Re: Tomcat, JSP and LDAP
On 16 March 2012 14:41, Pid <p...@pidster.com> wrote:
> On 16/03/2012 14:13, Neil Munro wrote:
>> I have since made some minor progress with LDAP queries; this login.jsp
>> file, as you can see, queries for a list of valid users and creates a
>> drop-down list to choose from
>>
>> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
>>   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
>> <%@page import="javax.naming.*,javax.naming.directory.*,java.util.ArrayList"%>
>> <html>
>> <head>
>> <title>Login</title>
>> </head>
>> <body>
>> <form method="POST" action="j_security_check">
>> <select>

If you're intending this to replace the standard login form's user name
input text box then you'll need to set the name attribute of the select
tag to 'j_username'. Like this...

<select name="j_username">

Dan

>
> What are you expecting this select element to do?

To do exactly what it does do: allow me to select from a list of users
that's generated from the JSP below. It's about the only thing in my code
that does work :S

>
> p
>
>> <%
>> DirContext ctx = new InitialDirContext();
>> NamingEnumeration answer =
>>     ctx.search("ldap://my.ldap.server.com:389/ou=my company users,dc=mycompany,dc=com",
>>                "(uid=*)", null);
>> ArrayList<String> als = new ArrayList<String>();
>>
>> while(answer.hasMore()) {
>>     // Take each search result in as a string
>>     String output = answer.next().toString();
>>
>>     // Pull the "uid=uid: <value>" token out of the printed result
>>     String[] tokens = output.split(",");
>>     for (String t : tokens) {
>>         if( t.contains("uid=uid:")) {
>>             String[] ids = t.split(" ");
>>             als.add(ids[2]);
>>         }
>>     }
>> }
>>
>> for(String s: als) {
>>     out.println("<option>" + s + "</option>");
>> }
>>
>> // Close the context when we're done
>> ctx.close();
>> %>
>> </select>
>> <br>
>> <input type="password" name="j_password">
>> <br>
>> <input type="submit">
>> </form>
>> </body>
>> </html>
>>
>> I am however still not able to get the server.xml file working with
>> the realms. I did discover through some trial and error that my own
>> ldap user had not been set up right and my system admin kindly fixed
>> it for me, which could have led to some working code not working.
>>
>> This is how it currently works:
>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com"
>>        connectionPassword="userPassword"
>>        connectionURL="ldap://my.ldap.server.com"
>>        alternateURL="ldap://my.ldap.server.com"
>>        roleBase="ou=my company users,dc=mycompany,dc=com"
>>        roleName="cn"
>>        roleSearch="(uniqueMember={0})"
>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>
>> On 16 March 2012 12:05, Pid <p...@pidster.com> wrote:
>>> On 16/03/2012 10:23, Neil Munro wrote:
>>>> On 15 March 2012 18:24, Christopher Schultz
>>>> <ch...@christopherschultz.net> wrote:
>>>> Neil,
>>>>
>>>> On 3/15/12 1:05 PM, Neil Munro wrote:
>>>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
>>>>>>>        connectionURL="ldap://my.ldap.server.com"
>>>>>>>        alternateURL="ldap://my.ldap.server.com"
>>>>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>>>>
>>>>
>>>> The "debug" attribute does not exist any more. Were you following some
>>>> kind of old example?
>>>>
>>>>> Yeah I must have been, I have removed it.
>>>>
>>>>
>>>> I think you may need roleBase, roleName, and roleSearch attributes to
>>>> have a prayer of making this work. Also, with no userSearch parameter,
>>>> you are instructing the realm to connect in "bind" mode where the
>>>> user's credentials are used directly to bind to the LDAP server. Is
>>>> this appropriate?
>>>>
>>>>> <Realm className="org.apache.catalina.realm.JNDIRealm"
>>>>>        connectionName="uid={0},ou=my company users,dc=mycompany,dc=com "
>>>>>        connectionPassword="userPassword"
>>>>>        connectionURL="ldap://my.ldap.server"
>>>>>        alternateURL="ldap://my.ldap.server"
>>>>>        roleBase="ou=my company users,dc=mycompany,dc=com"
>>>>>        roleName="cn"
>>>>>        roleSearch="(uniqueMember={0})"
>>>>>        userPattern="uid={0},ou=my company users,dc=mycompany,dc=com" />
>>>>
>>>>> I have added those changes. As for which connection mode I need, I
>>>>> think bind would be ok for now just to check to see if I can establish
>>>>> a connection, but looking at it I think if I will be querying ldap for
>>>>> a user name and password then comparison mode is what I need.
>>>>
>>>>> However with this configuration my whole app becomes inaccessible. I
>>>>> imagine it's some form of protection or permissions thing, but in my
>>>>> floundering around trying things, this is the only thing that seems to
>>>>> have any effect on the whole app.
>>>>
>>>> You might want to re-read this section of the realm-howto:
>>>>
>>>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>>>>
>>>> Can you run any queries against the LDAP server outside of Tomcat that
>>>> give you results that you might expect? For instance, can you do a
>>>> search of the LDAP tree for a particular user? What does that query
>>>> look like? When you do that search, are you using anonymous bind or
>>>> are you using user bind? If user, which user? Some administrative user
>>>> or the user whose credentials should be checked?
>>>>
>>>>> I can connect with a tool called JXplorer, but I have not had any luck
>>>>> from other applications, but that's due to the inability to find any
>>>>> up-to-date documentation on the libraries I was using.
>>>>
>>>>>>> <login-config>
>>>>>>>   <auth-method>FORM</auth-method>
>>>>>>>   <form-login-config>
>>>>>>>     <form-login-page>/login.jsp</form-login-page>
>>>>>>>     <form-error-page>/fail_login.jsp</form-error-page>
>>>>>>>   </form-login-config>
>>>>>>> </login-config>
>>>
>>> Side note: I usually recommend putting those files in WEB-INF, in their
>>> own directory, say: WEB-INF/login.
>>>
>>> p
>>>
>>>> That looks just fine: configuring the credential-gathering system is
>>>> usually trivial. It's configuring the authentication system that is
>>>> usually the problem.
>>>>
>>>>> Cool, at least some of this is working right, do you need to see those
>>>>> files btw?
>>>>
>>>>
>>>> -chris
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>>>
>>>
>>> --
>>>
>>> [key:62590808]
>>>
>
> --
>
> [key:62590808]
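Chris asks in the thread whether the same queries can be run against the LDAP server outside Tomcat, and in what bind mode. The stand-alone JNDI program below is an added example, not code from the thread or from Tomcat, that performs the two lookups the login.jsp and the JNDIRealm depend on: listing every uid directly under the user base (the JSP's "(uid=*)" search) and resolving one user's DN by uid (what a userSearch="(uid={0})" realm does). It reads the uid attribute from each SearchResult instead of parsing SearchResult.toString(), escapes the username before it is placed in the filter, and escapes the uid before it is written into an HTML option. The server URL, the base DN, the sample uid "jdoe" and the optional service-account DN given on the command line are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Stand-alone check of the LDAP queries behind the login page and the JNDIRealm. */
public class LdapUidLookup {

    // Assumed placeholders: substitute the real server and user base.
    static final String LDAP_URL  = "ldap://my.ldap.server.com:389";
    static final String USER_BASE = "ou=my company users,dc=mycompany,dc=com";

    /** Escape a value for use inside an LDAP search filter (RFC 4515 rules). */
    static String escapeFilter(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Escape text that is written into an HTML element body such as an <option>. */
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    /** Open a context: bindDn == null gives an anonymous bind, otherwise a simple bind as that DN. */
    static DirContext connect(String bindDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        if (bindDn != null) {
            env.put(Context.SECURITY_AUTHENTICATION, "simple");
            env.put(Context.SECURITY_PRINCIPAL, bindDn);
            env.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialDirContext(env);
    }

    /** Every uid directly under USER_BASE: the search the JSP runs to fill its drop-down. */
    static List<String> listUids(DirContext ctx) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[] { "uid" });   // fetch only what we need
        List<String> uids = new ArrayList<>();
        NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, "(uid=*)", sc);
        try {
            while (results.hasMore()) {
                // Read the attribute value; do not parse SearchResult.toString()
                Object uid = results.next().getAttributes().get("uid").get();
                uids.add(String.valueOf(uid));
            }
        } finally {
            results.close();
        }
        return uids;
    }

    /** DN of the single user with this uid, or null: the lookup a userSearch realm performs. */
    static String findUserDn(DirContext ctx, String username) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        sc.setReturningAttributes(new String[0]);            // we only want the DN
        String filter = "(uid=" + escapeFilter(username) + ")";
        NamingEnumeration<SearchResult> results = ctx.search(USER_BASE, filter, sc);
        try {
            if (!results.hasMore()) return null;
            String dn = results.next().getNameInNamespace();
            if (results.hasMore()) throw new NamingException("uid is not unique: " + username);
            return dn;
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        String bindDn   = args.length > 1 ? args[0] : null;   // service-account DN, if any
        String password = args.length > 1 ? args[1] : null;
        DirContext ctx = connect(bindDn, password);
        try {
            for (String uid : listUids(ctx)) {
                System.out.println("<option>" + escapeHtml(uid) + "</option>");
            }
            System.out.println(findUserDn(ctx, "jdoe"));        // "jdoe" is a constructed sample uid
        } finally {
            ctx.close();
        }
    }
}
```

Run `java LdapUidLookup` for an anonymous bind, or `java LdapUidLookup "cn=svc,ou=service accounts,dc=mycompany,dc=com" <password>` to bind as a service account; that is the anonymous-versus-user-bind distinction Chris's question draws, and whichever of the two returns results is the mode the realm has to be given. On the realm side the same split applies: JNDIRealm substitutes {0} only in userPattern, userSearch and roleSearch, so connectionName must be the literal DN of an account permitted to search the directory rather than a "uid={0},..." pattern, and "userPassword" is the name of the attribute to put in the realm's userPassword attribute when comparison mode is wanted, not a value for connectionPassword.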